Headline
CVE-2022-33746
P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-33746 / XSA-410 version 3 P2M pool freeing may take excessively long UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing. IMPACT ====== A group of collaborating guests can cause the temporary locking up of a CPU, potentially leading to a Denial of Service (DoS) affecting the entire host. VULNERABLE SYSTEMS ================== All Xen versions are vulnerable. x86 HVM and PVH guests as well as Arm guests can trigger the vulnerability. x86 PV guests cannot trigger the vulnerability. MITIGATION ========== Running only PV guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Julien Grall of Amazon. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa410/xsa410-??.patch xen-unstable xsa410/xsa410-4.16-??.patch Xen 4.16.x - 4.15.x xsa410/xsa410-4.14-??.patch Xen 4.14.x xsa410/xsa410-4.13-??.patch Xen 4.13.x $ sha256sum xsa410* xsa410*/* 70b2f2c880b30094c9bdbd3ae4b20b32acfc8daf94d5add5884998ff20ffc0e7 xsa410.meta 632f4d71bc9dfc5ddcf649b1e484a918b4cb3d270dedad3b904bf4552318ae0d xsa410/xsa410-01.patch a2c1e6871a76b9d0c7f54b5557c6d0e1a02423bca5b27354aa7e872b0016047e xsa410/xsa410-02.patch 61b8c71ad199dfa9762e739a592aa0a7f3b79d42e88d80a9589a993c768352be xsa410/xsa410-03.patch fb11b3d730bb665add2447b8f2258755604ce51e0ccc0731cddd938a538b051f xsa410/xsa410-4.13-01.patch ce5e780fdd162a1961fb0d51ccd7db8c3b2cedcee444ee3a58569bd8bbcfd6e8 xsa410/xsa410-4.13-02.patch 33514a6bf40d6c73fa7ca064b3e0401048f87eecbd007601bca6943b58f5c4b5 xsa410/xsa410-4.13-03.patch af7d5eeda27e789c91e39b58110b25b668ecc241ed87bf4d75d9ff2bf647c660 xsa410/xsa410-4.13-04.patch 972e95787d635056bb0476bff990af0957d9669b4b4948975a74ed085b9fdc38 xsa410/xsa410-4.13-05.patch 4587ff1246f1ea59053e76cdded0e42aba8e747123c8b37b7fe4e03f39d3a447 xsa410/xsa410-4.13-06.patch 99a2a83ea89aa0a79c3cd938917d6b7de1e7e52ec744fb2e0ed1ed2a577cb203 xsa410/xsa410-4.13-07.patch b36cc0d96111dbf65b7fefbce5fe9c5fe737dca24453f10f76253ce5bdcbb37d xsa410/xsa410-4.13-08.patch b548a1ba8082e5dbb35943bbacc5391766343c373c6edd2eb96d430cacdac00b xsa410/xsa410-4.13-09.patch 9fae7cf66cb298737ad5f021c349291ec84f8de83d02a9b814967fb97b85ad1f xsa410/xsa410-4.13-10.patch 0b91fcfc0a29428cfc06f4f1ddb01f5d1e7f144eae05635f2e9ef46dd7b33f0a xsa410/xsa410-4.14-01.patch a7a7e7e9529e91454035ad468c46faae34638be1f5f0694e1fe352c6c1acff06 xsa410/xsa410-4.14-02.patch 75bb2296a9f8adeb0ae3fc330f158614aab94a9263aba99730fe31d71be93d62 xsa410/xsa410-4.14-03.patch 8ad3dc1957fdb440e0bbd3b8e17286361ddfa6bb748ba6d48cc85ca8e88862ba xsa410/xsa410-4.14-04.patch 5aba547158d8f182eb8a148a03c3c69741d264b568a80b349c34b99e36e75647 xsa410/xsa410-4.14-05.patch 5b343f47ce34c53a0cf300a05ccd6898f695e62ced4b0f14d64c9947c8c17250 xsa410/xsa410-4.14-06.patch d34f3107061f13fdd1338d78544584d3509f8f7dabde78027f308c934cfeeb10 xsa410/xsa410-4.14-07.patch 8ccce0e109f6e0957643a04c822b7637b2cc7094ab73c4b19898657c05282f76 xsa410/xsa410-4.14-08.patch ca3116eb10b4ea29a4e5ce97a40d0f504418a8cd890fa49fb4ddf6c3acba9a9b xsa410/xsa410-4.14-09.patch ec1ad7529e6406f7fff9ebe35caf64419e360feadc9fae4ea679bff88238eefa xsa410/xsa410-4.14-10.patch 27857174e10917e02c6b9c6b8c29d5510c308035462a9a18bcdfebcef8c1e7af xsa410/xsa410-4.16-01.patch 7fc330e398e99023f9875004409ae4cb3943b15338662c242887f593d909e271 xsa410/xsa410-4.16-02.patch 9a72aaef6a65ec984022590c5e1bb39527873df4607604746d0a0b91636271d8 xsa410/xsa410-4.16-03.patch 4dffbb2e5933c18426e6ce0cbba94c42637f59b8cec03aad2bfc54d81c49d3e3 xsa410/xsa410-4.16-04.patch 2e5d91e3e5e0e7a294caada1399e017487063642bbb42bddfa5169db6faab37e xsa410/xsa410-4.16-05.patch 8174d9ed5f633f5a043084bf0cfb08211173f1afbfc5240c306bffa69c883595 xsa410/xsa410-4.16-06.patch b78792bd0d51a8e18d570d225df556f2099272cab00f1cb95bbbb4c08d299ce1 xsa410/xsa410-4.16-07.patch 1f3f14bf3091e685cf6ac530baf7bd060586cf3db330ba1218d1048eb672d6eb xsa410/xsa410-4.16-08.patch 63af35d559156436276967c94b3402982914b0fdd77187ff5b0bbf3dda356589 xsa410/xsa410-4.16-09.patch 85e8da807225df97583f5331491f29ecea059ce770c59a1a898a4b19b838f0c1 xsa410/xsa410-4.16-10.patch 6cf86d574ff45719659ed23af352fdc64d6563434057b733ac46ec6d5c758a3f xsa410/xsa410-04.patch 296d38e69eebab2985cdab70419ca5fd73380d94b35c96fa7f6820fead59bf95 xsa410/xsa410-05.patch e590762c70faad493b4e95c9f747ad9c3b313233f1b0aba3e81df5f40565cc51 xsa410/xsa410-06.patch 28164010d988fb590c7b22ef7f3571142660ec975ee8709f28fe310f220f7b08 xsa410/xsa410-07.patch 0ad43b452e5aef2657f311b6fa2fbc1eb07702d08c78878b1e614c573606feeb xsa410/xsa410-08.patch 04f02d9b06f74a8921557196b39c2cf3dd8fd7bf0c1f350d0c55d8d49187e9a7 xsa410/xsa410-09.patch a67ae39583867ed5d3900c4b45e2e32e9ac4ec58298c6508cedb273e9b7caf4b xsa410/xsa410-10.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNFS/4MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZFn8H/AlU50r9Lk0QaxVbvuKVir3rVgP+QURgVeHMTcuj UbNpjasPjQMbT9vzTPtIN+b59J0FwhWWZRIcZhYX6sPC/L9eAomUiFnVOe9Jmyec cv0gpn/fWum850A9/cZ+F3wNNmgbHcm+uLvCWM11vO79kUMzKmCeDGguU5cgbmBo hiNNL/mUEnu5QQn+jXolFCCA+CzlSJLg+tJwZn0il6dIf7z9d2yAxJRMUHF8s/c3 d23+6kTxLkfdnkGuwxkEVcSCaBN6YCGPaUy4AaQYzqPun/hcqGCsXCgK7X+iJIxq 36LWZLuqwAL80CQzEnMkgBNpqyQiudEwbZnBSMt0nzctg1g= =EdsG -----END PGP SIGNATURE-----
Related news
Gentoo Linux Security Advisory 202402-7 - Multiple vulnerabilities have been found in Xen, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 4.16.6_pre1 are affected.
Debian Linux Security Advisory 5272-1 - Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.